29 March 2018
Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party’s “Draft Guidelines on the accreditation of certification bodies under Regulation (EU) 2016/679” adopted on 6 February 2018

On 6 February 2018, the Article 29 Data Protection Working Party (WP) adopted its Draft Guidelines on the accreditation of certification bodies under Regulation (EU) 2016/679 (Draft Guidelines).1 The WP invited public comments on this document by 30 March 2018.

The Draft Guidelines provide guidance on how to interpret and implement Article 43 (certification bodies) of the GDPR, focussing mainly on the applicable standards for both National Accreditation Bodies (NABs) and Supervisory Authorities (SAs) for accrediting certification bodies under Article 43.1. The Draft Guidelines also envision an Annex containing a more detailed “framework for identifying accreditation criteria [for certification bodies]”.2 The WP has noted that the Annex will be prepared at a later stage to “take into account comments submitted in the framework of the ongoing public consultations”.3

The Centre for Information Policy Leadership (CIPL)4 welcomes the opportunity to submit the comments below, both as input for the WP’s final Guidelines and the content of the Annex to the Guidelines. Following CIPL’s 12 page submission, we attach the APEC Accountability Agent recognition criteria for the CBPR and PRP systems (see Annex) which could be instructive in any process of developing an EU-wide accreditation standard for certification bodies certified by SAs.
1 WP261 Article 29 Working Party Draft Guidelines on the accreditation of certification bodies under Regulation (EU) 2016/679, http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49877.
2 See Footnote 1, at page 12.
3 See WP announcement regarding public consultation deadline at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614486.
4 CIPL is a global data privacy and cybersecurity think tank in the law firm of Hunton & Williams LLP and is financially supported by the law firm and 59 member companies that are leaders in key sectors of the global economy. CIPL’s mission is to engage in thought leadership and develop best practices that ensure both effective privacy protections and the responsible use of personal information in the modern information age. CIPL’s work facilitates constructive engagement between business leaders, privacy and security professionals, regulators and policymakers around the world. For more information, please see CIPL’s website at http://www.informationpolicycentre.com/. Nothing in this submission should be construed as representing the views of any individual CIPL member company or of the law firm of Hunton & Williams.